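#!/bin/bash
#
# dostats
#
# bash script to automate the analysis summary files.
#
# Nick DeBaggis
#
# Usage: dostats [capture-file]
#
# Reads a Snort binary capture (default: 0826@19-snort.log in the current
# directory), splits it into attacker and victim traffic and writes the
# summary files (*.stats, flags.*, openports.victim, scan*.ports, attacker.os)
# into the current directory using the ./sum* helper scripts found there.
# Must be run as root: snort re-reads the capture against /etc/snort/snort.conf.
set -euo pipefail

ROOT_UID=0

# Everything below is tied to this one capture: the victim host and the frame
# numbers that separate the five scans were determined by hand.  Scan k covers
# frame.number in [SCAN_BOUNDS[k-2], SCAN_BOUNDS[k-1]) with open ends for the
# first and last scan.
readonly VICTIM_IP=192.168.0.99
readonly SNORT_CONF=/etc/snort/snort.conf
readonly -a SCAN_BOUNDS=(148007 150753 153251 155987)
readonly -a HELPERS=(sumsrcdst sumflags sumports sumtiming sumalerts sumscanports sump0f)

# Scratch directory for snort's per-run log output; removed on exit.
tmpdir=

die() { printf '%s\n' "$*" >&2; exit 1; }

cleanup() { [[ -n "$tmpdir" ]] && rm -rf -- "$tmpdir"; }

#######################################
# Pipe packets of a capture through one of the ./sum* helpers.
# Arguments:
#   $1 - capture file to read
#   $2 - read filter in display-filter syntax, or "" for all packets
#        (the script relies on tethereal applying a trailing filter as a
#        read filter when -r is given, as the original invocations did)
#   $3 - helper name, run as ./$3
#   $4 - output file
# Returns: non-zero if tethereal or the helper fails (pipefail)
#######################################
run_filter() {
  local capture=$1 filter=$2 helper=$3 outfile=$4
  local -a args=(-nr "$capture")
  if [[ -n "$filter" ]]; then
    args+=("$filter")
  fi
  tethereal "${args[@]}" | "./$helper" > "$outfile"
}

#######################################
# Check privileges, input file, external tools and helper scripts up front so
# a missing piece fails immediately instead of leaving empty summary files.
# Arguments: $1 - capture file
#######################################
check_prereqs() {
  local capture=$1 tool
  [[ "$EUID" -eq "$ROOT_UID" ]] || die "Only root can do that."
  [[ -r "$capture" ]] || die "cannot read capture file: $capture"
  [[ -r "$SNORT_CONF" ]] || die "cannot read snort config: $SNORT_CONF"
  for tool in tethereal snort p0f; do
    command -v "$tool" >/dev/null || die "required tool not found: $tool"
  done
  for tool in "${HELPERS[@]}"; do
    [[ -x "./$tool" ]] || die "missing helper script: ./$tool"
  done
}

#######################################
# Run snort over the capture and summarize the alerts it produces.
# Logs go to a fresh temporary directory (-l) so that alerts left in
# /var/log/snort/alert by earlier runs do not leak into the summary.
# NOTE(review): assumes snort.conf does not hard-code its own alert output
# path; if it does, the alert file will not appear under $tmpdir.
# Arguments: $1 - capture file
#######################################
summarize_alerts() {
  local capture=$1
  tmpdir=$(mktemp -d) || die "mktemp failed"
  # snort's console output is noise here; keep only stderr for diagnosis.
  if ! snort -r "$capture" -c "$SNORT_CONF" -l "$tmpdir" \
      >/dev/null 2>"$tmpdir/snort.err"; then
    cat -- "$tmpdir/snort.err" >&2
    die "snort failed on $capture"
  fi
  if [[ -f "$tmpdir/alert" ]]; then
    ./sumalerts "$tmpdir/alert" > alerts.stats
  else
    # No alert file means snort raised no alerts; leave an empty summary.
    printf 'warning: snort produced no alert file, alerts.stats is empty\n' >&2
    : > alerts.stats
  fi
}

#######################################
# Extract the attacker's probed ports for each of the five scans, one file
# scanN.ports per scan, using the frame-number boundaries in SCAN_BOUNDS.
# Arguments: $1 - capture file
#######################################
summarize_scans() {
  local capture=$1
  local n=${#SCAN_BOUNDS[@]} k clause
  for ((k = 0; k <= n; k++)); do
    clause=
    if (( k > 0 )); then
      # "> bound-1" mirrors the original filters, i.e. frame.number >= bound.
      clause="frame.number > $(( SCAN_BOUNDS[k - 1] - 1 ))"
    fi
    if (( k < n )); then
      [[ -n "$clause" ]] && clause+=" && "
      clause+="frame.number < ${SCAN_BOUNDS[k]}"
    fi
    echo "determining scan$(( k + 1 )) attack ports..."
    run_filter "$capture" "$clause && tcp && ip.src != $VICTIM_IP" \
      sumscanports "scan$(( k + 1 )).ports"
  done
}

main() {
  local capture=${1:-0826@19-snort.log}

  check_prereqs "$capture"
  trap cleanup EXIT

  echo "summarizing scan traffic..."
  run_filter "$capture" "" sumsrcdst traffic.stats

  echo "creating attacker binary log..."
  tethereal -nr "$capture" "ip.src != $VICTIM_IP" -w attacker.log

  echo "creating victim binary log..."
  tethereal -nr "$capture" "ip.src == $VICTIM_IP" -w victim.log

  echo "summarizing attacker tcp flags..."
  run_filter attacker.log "" sumflags flags.attacker

  echo "summarizing victim tcp flags..."
  run_filter victim.log "" sumflags flags.victim

  echo "determining open ports on victim..."
  # 0x12 = SYN+ACK sent by the victim: the port answered the handshake.
  run_filter victim.log "tcp.flags == 0x12" sumports openports.victim

  echo "summarizing attacker packet timings..."
  run_filter attacker.log "" sumtiming timings.stats

  echo "summarizing snort alerts..."
  summarize_alerts "$capture"

  summarize_scans "$capture"

  echo "determining attacker OS..."
  # p0f's stderr is discarded as in the original (banner/progress output);
  # a genuine p0f failure still fails the pipeline via pipefail.
  p0f -s ./attacker.log 2>/dev/null | ./sump0f > attacker.os

  echo "done"
  exit 0
}

main "$@"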